CVE-2011-5003
published 2011-12-25

CVE-2011-5003: Stack-based buffer overflow in the Phonetic Indexer (AvidPhoneticIndexer.exe) in Avid Media Composer 5.5.3 and earlier allows remote attackers to execute…

Priority P274 · critical · 10 CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS 62.81% (99.1th percentile)
Stack-based buffer overflow in the Phonetic Indexer (AvidPhoneticIndexer.exe) in Avid Media Composer 5.5.3 and earlier allows remote attackers to execute arbitrary code via a long request to TCP port 4659.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
avid | media_composer | <= 5.5.3 |

Detection & IOCs (extracted from sources)

process: AvidPhoneticIndexer.exe
port: TCP/4659
port: TCP/4660
command: junk = 'A' * 216 + sehpivot + 'A' * 732 + rop_gadgets + bufregfix
bytes: \xeb\x35\x8b\x02
  • Alert on TCP connections to port 4659 (primary) or 4660 (alternate) targeting AvidPhoneticIndexer.exe with oversized/anomalous payloads indicative of buffer overflow exploitation.
  • Detect the SEH pivot byte sequence \xeb\x35\x8b\x02 within TCP payloads destined for port 4659 or 4660 as a strong exploit indicator.
  • Exploit payload structure: 216 bytes of 'A' padding, followed by 4-byte SEH pivot, then 732 bytes of 'A', then ROP chain. A run of 948+ 'A' (0x41) bytes in a TCP stream to port 4659/4660 is a strong signature.
  • Monitor for unexpected child processes or shellcode execution spawned from AvidPhoneticIndexer.exe on Windows XP SP3 systems running Avid Media Composer 5.5.x.
  • The vulnerable service (AvidPhoneticIndexer.exe) may listen on port 4659 when launched as part of the Avid Media Composer suite, or on port 4660 when started standalone; detection rules must cover both ports.
  • Payload space is limited to 1012 bytes and uses AlphanumMixed encoding with EAX as the buffer register; detection signatures based on payload size or encoding type should account for these constraints.
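
The payload checks listed above, as an added Python example (not code from the sources this entry cites; the function names indicators and scan_flow are hypothetical). Because the 4-byte pivot sits between the 216-byte and 732-byte 'A' blocks, it matches padding on both sides of the pivot rather than one contiguous run, and it joins TCP segments before matching.

```python
import re

# Values below come from the detection notes in this entry.
PORTS = {4659, 4660}                 # suite-launched / standalone listener
SEH_PIVOT = b"\xeb\x35\x8b\x02"
PAD_BEFORE, PAD_AFTER = 216, 732     # 'A' padding on each side of the pivot
PAD_TOTAL = PAD_BEFORE + PAD_AFTER   # 948

# Full layout: padding, pivot, padding. The pivot splits the padding, so a
# single contiguous A{948} pattern would never match this structure.
LAYOUT = re.compile(
    b"A{%d}%sA{%d}" % (PAD_BEFORE, re.escape(SEH_PIVOT), PAD_AFTER)
)
A_RUN = re.compile(b"A{%d,}" % PAD_BEFORE)


def indicators(dst_port, payload):
    """Return the names of indicators present in one reassembled payload."""
    if dst_port not in PORTS:
        return []
    hits = []
    if SEH_PIVOT in payload:
        hits.append("seh_pivot")
    if LAYOUT.search(payload):
        hits.append("padding_pivot_padding")
    # Sum only long runs so ordinary text with scattered 'A's is ignored.
    if sum(len(run) for run in A_RUN.findall(payload)) >= PAD_TOTAL:
        hits.append("a_padding_948")
    return hits


def scan_flow(dst_port, segments):
    """Join TCP segments first: the pivot can straddle a segment boundary."""
    return indicators(dst_port, b"".join(segments))


if __name__ == "__main__":
    # Constructed sample: padding and pivot only, inert filler after it.
    sample = b"A" * PAD_BEFORE + SEH_PIVOT + b"A" * PAD_AFTER + b"\x00" * 16
    print(scan_flow(4660, [sample[:218], sample[218:]]))
    print(scan_flow(4659, [b"ordinary request"]))
```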